| | | Ecommerce Home | | | Accounts | | | Getting Started | | | Tools/Guides | | | Contact Us | | | Search | | |
| | | Ecommerce Home | | | Accounts | | | Getting Started | | | Tools/Guides | | | Contact Us | | | Search | | |
| AVAILABLE FOR: |  = IU -
www.indiana.edu, www.iupui.edu, www.iun.edu, www.iusb.edu,
www.iuk.edu
|
IU Internet Payment Authorization System (IPAS)
Technical Guide
Table of Contents
Who should read this document?
What is IPAS and how does it work?
How do I get started?
How do I get the ipasagent.cgi program?
How do I integrate IPAS with my storefront software?
How can I test my storefront without going 'live' with the public?
How do I 'go live'?
Who should read this document?
IU merchants who run their own secure web server with Internet storefront software and want to accept credit card payments via their website for University-related goods and services.
What is IPAS and how does it work?
The IU Internet Payment Authorization Service (IPAS) is the University-supported method for IU merchants to obtain authorization for credit card payments for purchases made at their website storefronts.
Important Note During the authorization process, IPAS never retains a customer's credit card information in any form within the IPAS server computer nor does it communicate the information to any other recipient other than the Verisign CashRegister Service.IPAS currently can process credit card payments for customers using VISA, MasterCard, Discover and American Express. Contact the Office of the Treasurer for more information about card support.
IPAS uses the commercial Verisign CashRegister Service to perform the necessary credit card authorization function from a central IU server. This server computer contains the secure WWW server and the IPAS software (Verisign- and UITS-developed) that is used for processing a credit card payment request authorization that originates from a customer using a WWW browser.
IPAS has two main components, the single, official University Credit Card Data Entry Form into which customers enter their credit card information, and a supplied CGI program called ipasagent.cgi. IU merchants running their own secure web server access IPAS by integrating the use of the credit card data entry form and customizing portions of ipasagent.cgi for use with their storefront software.
It is the ipasagent.cgi program which accepts requests from the central IPAS server for purchase amounts associated with in-progress transactions at your website storefront. It also accepts replies from the central IPAS server concerning the outcome of the authorization attempt so that you may take appropriate actions to complete the transaction.
The basic steps in authorizing a credit card purchase with IPAS are described below.
- In order to put the authorization process in motion, the website storefront supplies an HTML form document which is displayed to the customer when they are finished shopping and are ready to select a payment method. At this point the storefront software has generated an Order Id (compatible with IPAS and discussed later) as a hidden variable within the document, and it has recorded all the information about the purchase. The user selects immediate credit card payment and the form is sent on to the IPAS server.
- The IPAS server responds by displaying the University Credit Card Data Entry Form at the customer's browser. The customer enters credit card data into the form to make payment. The form has a button which the customer can use to request authorization of their credit card information. When the customer presses this button, the form is sent back to the IPAS server and the authorization attempt begins.
- First, the IPAS server sends the Order Id to the ipasagent.cgi program on the merchant's website storefront and requests the amount of the purchase corresponding to the Order Id. The ipasagent.cgi program responds back to the IPAS server with the total purchase amount or an error code denoting some problem.
- Second, the IPAS server receives the amount of the purchase and submits the credit card data and purchase amount for authorization to Verisign. The result of the authorization attempt is then sent back to the IPAS server from Verisign.
- Third, the IPAS server sends the Order Id and the outcome of the authorization attempt to the ipasagent.cgi program on the merchant's website storefront. Based on the outcome received by ipasagent.cgi, the storefront software performs any necessary updates to databases, etc. before responding back to the IPAS server.
- Finally, the ipasagent.cgi program responds back to the IPAS server with a full URL to some location within the merchant's website storefront that the customer's browser will be redirected to.
How do I get started?
- First, you should contact the Office of the Treasurer for a needs assessment, assistance in obtaining University ledger and Verisign accounts and familiarization with the Verisign Administrative Interface. Information about making these arrangements with the IU Treasurer is available.
- Second, you should apply for and obtain an Information Provider account on the central University web server, Veritas. The account name is required because it will be used for merchant identification purposes by IPAS and also allow access to the University-supplied software you will need to obtain and integrate into your storefront software in order to use IPAS.
Information about applying for a central web server account is available.
- When you apply for your account, be sure to indicate that the account is being requested in support of becoming an Internet merchant in cooperation with the Office of the Treasurer.
- When you obtain your account name, notify the Office of the Treasurer so that they can register it with IPAS so that you can test your access to IPAS and Verisign later on.
- Third, since you will not be using the central University WWW servers for hosting your storefront, you must:
- Demonstrate that the computer hosting the storefront is in compliance with the guidelines of the Office of the Treasurer and the University Information Technology Policy Office.
- Agree to use the University-supplied ipasagent.cgi software, and not bypass or modify specific functions within it in the process of integrating it with your storefront software.
How do I get the ipasagent.cgi program?
Follow the steps below to retrieve and install a copy of the template ipasagent.cgi program:
- Important: You will need the account name and password that you received with your central WWW server account to retrieve a copy of the ipasagent.cgi program.
- You should decide where the ipasagent.cgi program will reside within your secure web server's CGI file area. This is important because you will be registering the resulting URL to the ipasagent.cgi program with the Office of the Treasurer.
- If possible, open a web browser on the computer that runs your secure web server and go to the location below. Enter your central WWW server account name and password when prompted and the text of the ipasagent.cgi program should appear.
http://www.indiana.edu/~estore/ipasagent/get-ipasagent-pf.cgi
- Save the document as ipasagent.cgi (plain text) into the location you decided on in step 2 above.
- Edit the ipasagent.cgi program and insert values for the variables in the section marked 'MERCHANT-SPECIFIC VARIABLES'. These variables are shown below.
$IPAS_ValidMerchantName = "{insert account name here}"; $IPAS_AuthSuccessURL = "{insert full URL here}"; $IPAS_AuthFailureURL = "{insert full URL here}";
- Any ipasagent.cgi program portions between the banners shown below should not be modified or bypassed.
################################################################# # START OF OF SECTION THAT MUST NOT BE MODIFIED OR BYPASSED *** ################################################################# ################################################################# # END OF SECTION THAT MUST NOT BE MODIFIED OR BYPASSED *** #################################################################
How do I integrate IPAS with my storefront software?
- First, your website storefront must display a 'launch' form on the customer's browser which has a button on it that the user can press to link to the University Credit Card Data Entry Form and enter their credit card information.
The format of the required METHOD and ACTION parameters within the <FORM></FORM> block is shown below:<FORM METHOD="POST" ACTION="https://ipaspf.iu.edu/~ipas/ipas.cgi">
This <FORM></FORM> block contains hidden variables that you can set which are used to communicate information to the IPAS server once the customer submits the form. You must use the variables names shown.
Important Note Any additional hidden variables passed by the form to the IPAS server will be ignored. You must save all necessary information about the order before the customer submits this form to the IPAS server.
Hidden Variable Name Required? Allowed Value(s) HTML Example ORDERID Yes the full order identification string for the order <INPUT TYPE="hidden" NAME="ORDERID" VALUE="account_name-1998102114100701"> The Order Id must begin with the central WWW server account name that you applied for and obtained earlier. This name is followed by a '-' (dash). The rest of the order id consists of the 4-digit year, 2-digit month, 2-digit day, 2-digit hour (24-hour format), 2-digit minute, 2-digit second, and a 2-digit value from 00 to 99 to ensure uniqueness.
Hidden Variable Name Required? Allowed Value(s) HTML Example REVIEW No A full URL that will be used as a link on the University Credit Card Data Entry Form to return the customer back to the merchant's store should they elect not to enter their credit card information, but do not wish to leave the merchant's store. <INPUT TYPE="hidden" NAME="REVIEW" VALUE="{full URL}">
LEAVE No A full URL that will be used as a link on the University Credit Card Data Entry Form to return the customer back to the merchant's storefront website should they elect not to enter their credit card information and wish to cancel the order and leave the merchant's storefront <INPUT TYPE="hidden" NAME="LEAVE" VALUE="{full URL}"> You can test your form by submitting it to the IPAS server and examining the source of the HTML of the University Credit Card Data Entry Form that is sent back to make sure that your use of the ORDERID, and optionally, REVIEW and LEAVE hidden variables is correct.
- Second, you will need to make modifications to the ipasagent.cgi program that you retrieved earlier. Let's review the purpose and operation of the ipasagent.cgi program.
The ipasagent.cgi program is a CGI program which only accepts connections from the IPAS server and communicates information concerning a transaction to the IPAS server and receives information from the IPAS server concerning the outcome of an authorization attempt with Verisign.
The supplied ipasagent.cgi program is a Perl 5 CGI script which uses no special libraries and is largely compatible with the current implementations of Perl 5 on UNIX, Windows/NT, and MacOS platforms. It is important to consider that the functionality of ipasagent.cgi as a CGI program could be implemented using another programming language or development tool.
In order to clarify the relationship between the merchant website storefront, the ipasagent.cgi program and the IPAS server, it is helpful to examine the 'anatomy' of a hypothetical credit card payment authorization request as a series of steps.
- A customer is viewing the 'launch' form that you created in the previous step. The customer presses a submit button on the form corresponding to a 'pay by credit card' type of choice, and the form is sent to the IPAS server. At this point, the merchant's website storefront is temporarily not in control of the customer's browser display.
- The IPAS server sends the University Credit Card Data Entry Form to the customer's browser. The credit card data entry form has from 1 to 3 'submit' buttons from which the customer may select depending on the use of the 'hidden variables' that are part of the 'launch' form described above.
- The user enters the credit card information and presses the 'Pay Now' submit button. The form is sent back to IPAS server and the authorization attempt with Verisign begins.
- Request Mode: The IPAS server first issues a standard HTTP request to activate the ipasagent.cgi CGI program on the merchant's website storefront. This first communication is called: 'Request Mode' In 'request mode', ipasagent.cgi is passed the Mode Indicator, the Merchant Name and the Order Id.
The ipasagent.cgi program contains a subroutine called IPAS_CheckRequestorValidity, which performs a number of checks each time it is called, to verify that the requestor is indeed, the IPAS server, and that the origin and format of the the request is correct. The additional step of having the ipasagent.cgi script protected by an .htaccess file and having the IPAS server submit a username and password for access is being considered for inclusion in a future release of the ipasagent.cgi program.
The Merchant Name and Order Id are used by a merchant-specific section of the the ipasagent.cgi program to locate and retrieve the total dollar amount for which payment is to be authorized. The method by which the dollar amount is retrieved is handled by one subroutine (IPAS_GetOrderAmount) that is fully customizable by the merchant.The ipasagent.cgi script then sends a status code back to the IPAS server which must be one of the following:
- A positive dollar amount greater than 0.00 for which a payment authorization request should be made
- A negative value such as of -1, -2, -3, indicating an error condition. These values and the associated meanings are shown below.
Error Name Error Code Meaning IPAS_InvalidOrderID -1 No order amount information could be located for the Order Id received IPAS_InvalidRequestMethod -2 A message was received with an invalid HTTP method IPAS_InvalidUserAgent -3 A message was received with an invalid HTTP user agent identification. IPAS_InvalidIPNumber -4 A message was received from an invalid IP number IPAS_InvalidHostName -5 A message was received from an invalid hostname IPAS_InvalidMerchantName -6 The merchant name received is not the merchant name of the receiving storefront IPAS_InvalidOrderIDFormat -7 An Order Id has an invalid format IPAS_InvalidMode -8 The Mode Indicator is not a request or a reply
- The IPAS server receives the amount of the purchase and submits the credit card data and purchase amount to the Verisign's Cash Register server for authorization. Verisign performs the authorization attempt with the banking network and sends back an authorization result status to the IPAS server.
Any Order Id that IPAS sends to the Verisign Cash Register service will also have a single letter appended to the end denoting the type of credit card that was used in case the associated transaction must be researched. The letters used are shown below.
Card Type Supported? Card Number Prefix Letter Appended
to Order IdVISA Yes 4 V MasterCard Yes 5 M Discover Yes 60 D American Express Yes 37 A Diner's Club Not Currently 38 C
- Reply Mode: The IPAS server receives authorization result status information from Verisign and issues a second HTTP request to activate the ipasagent.cgi program on the merchant's website storefront. This second communcation is called: 'Reply Mode'. In 'reply mode', ipasagent.cgi is passed the Mode Indicator, the Merchant Name, the Order Id and the authorization result information.
Again, the IPAS_CheckRequestorValidity subroutine verifies that the requestor identity, origin, and format of the the request is acceptable.
The ipasagent.cgi program then performs any necessary merchant-specific storefront operations consistent with the outcome returned. Finally, a full URL is sent back to the IPAS server as a reply. This URL points to an appropriate location within the merchant's website storefront depending on the authorization outcome. The IPAS server then redirect's the customer's browser to this location and control is returned to the merchant's website storefront.
How can I test my storefront without going 'live' with the public?
It is strongly advised that you create a rigorous plan for testing your storefront with the IPAS server and Verisign. There are 2 levels of testing that you can perform with IPAS, Verisign and the IU Office of the Treasurer before you allow real customers to make real purchases, the evidence of which shows up in the IU general ledger associated with your account. This can be thought of as 'going live'.
- Level 1 Testing
When you receive your Verisign account, the account is set by default to not pass requests for authorization on to the banking network. This is done to allow for an initial testing period for a merchant. At this level all requests for authorizations by the IPAS server will be received by a test Verisign CashRegister server at Verisign. The test server will record but not send the request on to the banking network for the authoritative authorization. In this way, your storefront is not really 'live' and so the public should NOT be allowed to enter the portion of your storefront that you are using for your testing.
Verisign can provide 'test' credit card numbers which can be used to simulate conditions such as the card having expired, the amount to be authorized being unacceptable, etc. Depending on the values that you supply during testing on the University Credit Card Data Entry Form for the 'test' credit card's expiration date and the dollar amount you are attempting to authorize, these conditions can be elicited from the test Verisign server.
- Level 2 Testing
Contact the IU Office of the Treasurer when you feel you are ready to perform additional testing with your Verisign account switched from 'test' status to 'live' status. Once your Verisign account is in live status, requests for authorizations from IPAS will no longer go to the test Verisign server. Instead, they will be sent to the 'live' Verisign server (which provides better response times than the test server) and on to the banking network for the authoritative authorization. The replies that are received back to IPAS are authentic authorizations on the card number used and the transactions will appear in the IU general ledger. At this level, the general public should still NOT be allowed to enter the portion of your storefront that you are using for your testing. The IU Treasurer will supply you with special credit card numbers that have been provided by IU's bank processor. Any use of these cards can be tracked and intercepted by the Treasurer so that they can confirm with you that the transactions are appearing in the general ledger properly. This level can be called 'controlled live' testing. During this testing, you should work with the IU Treasurer in order to make them aware of all of your test transactions including the Order Id, the credit card number that was used and the amount of the test purchase.'Level 2' testing is essentially 'live' testing except that the times and types of 'purchases' are tightly crontrolled by you and the IU Treasurer and special credit card numbers are used which make this process easier.
How do I 'go live'?
When you and the IU Treasurer are satisfied that your website storefront is handling purchases assisted by IPAS and Verisign properly, and that the transctions are appearing correctly in the IU general ledger, you can agree on a date and time when your entire IPAS/Verisign-enabled secure website storefront can be opened to Internet customers.
Last Modified: 03 January 2007
Copyright 2007, The Trustees of Indiana University
